Описание
Security update for librepo
This update for librepo fixes the following issues:
- Upgrade to 1.12.1
- Validate path read from repomd.xml (bsc#1175475, CVE-2020-14352)
- Changes from 1.12.0
- Prefer mirrorlist/metalink over baseurl (rh#1775184)
- Decode package URL when using for local filename (rh#1817130)
- Fix memory leak in lr_download_metadata() and lr_yum_download_remote()
- Download sources work when at least one of specified is working (rh#1775184)
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Список пакетов
openSUSE Leap 15.2
librepo-devel-1.12.1-lp152.2.6.1
librepo0-1.12.1-lp152.2.6.1
python3-librepo-1.12.1-lp152.2.6.1
Ссылки
- E-Mail link for openSUSE-SU-2021:0277-1
- SUSE Security Ratings
- SUSE Bug 1175475
- SUSE CVE CVE-2020-14352 page
Описание
A flaw was found in librepo in versions before 1.12.1. A directory traversal vulnerability was found where it failed to sanitize paths in remote repository metadata. An attacker controlling a remote repository may be able to copy files outside of the destination directory on the targeted system via path traversal. This flaw could potentially result in system compromise via the overwriting of critical system files. The highest threat from this flaw is to users that make use of untrusted third-party repositories.
Затронутые продукты
openSUSE Leap 15.2:librepo-devel-1.12.1-lp152.2.6.1
openSUSE Leap 15.2:librepo0-1.12.1-lp152.2.6.1
openSUSE Leap 15.2:python3-librepo-1.12.1-lp152.2.6.1
Ссылки
- CVE-2020-14352
- SUSE Bug 1175475